JP2008176352A - Computer program, computer apparatus, and operation control method - Google Patents

Abstract

An object of the present invention is to suppress the activity of a specific program having a function of terminating its own process by recognizing that it has been analyzed.
In a computer 10, a process generation monitoring unit 12 existing in a kernel segment 11 (operating in a kernel mode) monitors the generation of a new process. For example, processes 14a to 14d are newly generated. Is notified to the monitoring module generation unit 13 operating in the user mode. Then, the monitoring module generation unit 13 monitors each of the processes 14a to 14d by, for example, monitoring modules 15a to 15d that perform processing such as monitoring a specific API call and terminating the process if there is a call. inject.
[Selection] Figure 2

Description

  The present invention relates to a computer program or the like for controlling the operation of a specific program having a function of terminating its own process by recognizing that it has been analyzed.

With the spread of the Internet, the damage caused by malicious programs via the network is increasing rapidly. Here, the malignant program is also called “malware” and is a malicious program that performs an operation undesirable for the user. For example, a program that intrudes into a computer to perform destructive activities, infects other computers, or leaks information to the outside corresponds to this, and so-called computer viruses are one example.
There have been various proposals for checking computer viruses (see, for example, Patent Document 1). In Patent Document 1, the presence / absence of a virus is detected based on virus pattern data recorded in a virus pattern database for an email to be distributed.

JP 2002-368820 A

  By the way, in recent years, damage caused by a kind of computer virus called bot has been increasing rapidly. A bot is a malicious program that performs self-replication via a network in the same way as a worm, but differs greatly from a conventional worm in that it can be controlled from the outside. A conventional worm is an automan that operates as programmed. On the other hand, after the bot is infected with a vulnerable computer, the bot connects to a control server called a C & C (command & control) server and waits for an instruction from a bot administrator (bot-herder). As a result, a network of bot-infected computers centering on the C & C server, that is, a botnet is formed along with the self-propagation of the bot, and the bot administrator sends an instruction to the C & C server to the botnet. It is possible to simultaneously control thousands to tens of thousands of connected bots.

  Moreover, the background of such bot distribution is that the bot itself has been developed by an open source method. The bot source code is widely distributed on the Internet. Therefore, anyone can develop their own bot by obtaining the source code and modifying it. For this reason, hundreds to thousands of subspecies exist for one kind of bot.

  For example, there is a problem that the activity of a malicious program in which a huge number of variants appear in a short time like this bot cannot be suppressed only by matching with virus pattern data as in Patent Document 1. .

  The present invention has been made in order to solve the technical problems as described above, and its purpose is the activity of a specific program having a function of terminating its own process by recognizing that it has been analyzed. It is to suppress.

  For this purpose, the present invention reverses this function for a specific program having the function of terminating a process generated by executing itself by recognizing that the process has been analyzed. I tried to suppress that activity. That is, the computer program of the present invention has a function for detecting in the execution mode of the OS (Operating System) that a new process is generated by executing the program on the computer, and for the generated process, By performing a process for misidentifying that the program is analyzed, a function for terminating the process is realized if the program is a specific program.

Here, in the function to be terminated, first, the process for causing the generated process to misidentify that there is a debugger analyzing the program even though there is no debugger analyzing the program. It is conceivable to apply it.
In such a case, the API (Application Program Interface) that returns information indicating whether or not there is a debugger that analyzes the program is hooked, and the process that returns information that there is a debugger that analyzes the program is misidentified. You may be made to perform as this process.
In addition, a process of including an instruction that generates a breakpoint exception in an execution code of a program expanded in a memory allocated to a process may be performed as a process for misidentification.
Furthermore, if an API that returns information indicating whether or not the specified file exists is hooked and a specific file that exists when the program is analyzed by a specific debugger is specified when the API is called, The process of returning information indicating that the specific file exists may be performed as a process for misidentification.
Furthermore, an API for returning a value related to time may be hooked, and a process for returning a value related to time such that the difference from the value related to time returned previously becomes a predetermined value or more may be performed as a process for misidentification. .

Secondly, in the function to be terminated, the generated process is mistakenly recognized as having a virtual machine environment for analyzing the program even though there is no virtual machine environment for analyzing the program. It is also conceivable to perform the process.
In that case, the process of rewriting the MAC address of the computer and the process of generating the setting data added by the installation of the software that provides the virtual machine environment may be performed as processes for misidentification.

  Furthermore, the present invention suppresses the activity by reusing this function for a specific program having the function of terminating the process generated by executing itself by recognizing that the process is being analyzed. It can also be understood as a computer device. In that case, the computer apparatus of the present invention is configured to detect in the OS execution mode that a new process is generated by executing the program, and the program is analyzed with respect to the generated process. And processing means for ending the process if the program is a specific program by performing a process for making it mistaken.

  On the other hand, the present invention suppresses the activity by reusing this function for a specific program having the function of terminating the process generated by executing itself by recognizing that the process is being analyzed. It can also be seen as a way to do it. In this case, the operation control method of the present invention includes a step of detecting in the OS execution mode that a new process has been generated by executing the program, and the program is analyzed with respect to the generated process. If the program is a specific program, a process for terminating the process is included.

  According to the present invention, it is possible to suppress the activity of a specific program having a function of terminating its own process by recognizing that it has been analyzed.

The best mode for carrying out the present invention (hereinafter referred to as “embodiment”) will be described below in detail with reference to the accompanying drawings.
The present inventors have conducted a primary analysis of the obtained source code as part of a botnet fact-finding survey so far, and the bot has a function that interferes with the analysis operation by a debugger or the like (hereinafter referred to as `` analysis resistance function ''). It was confirmed that it was equipped. The anti-analysis function is designed to terminate its own process when it detects signs of analysis, such as attaching a debugger to the bot itself, and its purpose is to delay and make program analysis by anti-virus vendors, etc. It is done.
In this specification, we propose a method to stop this operation by reversing this mechanism and causing a malicious program with anti-analysis function such as a bot to misunderstand the signs of analysis. We also show the effectiveness of the proposed method through evaluation of the implemented prototype.

The inventors analyzed the source code of Agobot, which is a typical bot, in detail. As a result, Agobot has the following analysis resistance functions of A and B. Use the analysis resistance function during the initialization process to check the signs of analysis for itself, and If any signs were seen, it was found that the initialization process was interrupted and the process was terminated. It was also found that the analysis resistance functions of A and B are realized by using the methods A-1 to 4 and B-1 to 2, respectively.
A. Detection of debugger A-1. Use of IsDebuggerPresent API A-2. Detection of breakpoint A-3. Detection of SoftICE (registered trademark) A-4. Measurement of execution time Detection of virtual environment B-1. Detection of VMware (registered trademark) B-2. Detection of Virtual PC

First, details of the anti-analysis function that could be confirmed through the Agobot source code analysis will be described.
A. Detection of debugger A-1. Use of IsDebuggerPresent API In Windows (registered trademark), when a process is generated, a process environment block (PEB) is automatically generated by the OS. Various parameters relating to the process are stored in the PEB, and a BeingDebugged flag exists in one of them. The BeingDebugged flag is initialized to a false value when a process is generated, but is set to a true value when a debugger is attached by the DebugActiveProcess API or the like. The IsDebuggerPresent API, which is a standard API of Windows, can read the value of this BeingDebugged flag, and Agobot uses this API to detect the presence or absence of a debugger.

A-2. Breakpoint detection The debugger can stop program execution at any point by setting a breakpoint in the program. This is realized by inserting a machine language instruction (INT3 instruction) that generates a breakpoint exception at an execution code portion of a program to be stopped. When the program executes the INT3 instruction, a breakpoint exception occurs, and this exception is handled by the CPU. The CPU confirms the presence or absence of the debugger, and when the debugger is attached to the process in which the exception has occurred, the CPU leaves the processing to the debugger. Agobot periodically scans its own execution code expanded on the memory, and detects the debugger by checking whether or not the INT3 instruction is inserted.

A-3. Detection of SoftICE SoftICE is a high-performance kernel mode debugger used in a debugger such as a device driver. Installing SoftICE on the system creates a special namespace on the NT file system for the debugger to access kernel mode. Agobot confirms the existence of this name space to detect the debugger together with the presence of SoftICE on the system.

A-4. Measurement of execution time A general debugger can freely interrupt processing of a program by setting a breakpoint at an arbitrary position as described above. In addition, by using a debugger having a single step execution function, the execution of the program can be interrupted for each instruction in the CPU. When analysis using such a debugger has been performed, it takes an extremely long time to execute processing that normally ends in about a few seconds. Agobot obtains the current time at the beginning and end of the analysis-resistant function, and if the difference between the two values exceeds the set threshold (5 seconds), it determines that analysis is being performed by the debugger. Yes.

B. Detection of Virtual Environment The detection of the virtual environment is intended to detect the presence of VMware, which is software that provides a virtual machine environment, and the Virtual PC. Here, the description will focus on VMware detection.
In VMware, an OS that provides a virtual machine environment is called a HostOS, and an OS that runs on a virtual machine is called a GuestOS. Since the HostOS and the GuestOS are in a logically separated environment, the malicious program can be safely analyzed by executing the malicious program on the GuestOS.
However, a secret function for exchanging some control information, called VMware Backdoor I / O, exists between HostOS and GuestOS, which are logically separated environments. VMware Backdoor I / O is realized by using an in command for a specific I / O port, and various control information can be exchanged by setting an arbitrary command number in the CPU register. It has become. An example of the correspondence between command numbers and functions in this VMware Backdoor I / O is shown below.

  Agobot obtains VMware version information from VMware Backdoor I / O, and determines whether the environment in which the current process is currently executed is in GuestOS.

Next, the implementation of the technique for misidentifying the debugger detection using the IsDebuggerPresent API of A-1 and the effectiveness thereof will be described. The reason for selecting the IsDebuggerPresent API method was that it was speculated that it was also used by other malicious programs as a debugger detection method based on the detailed analysis of the source code of Agobot. This is because it is relatively easy to compare with the debugger detection method.
The IsDebuggerPresent API is a function that returns a true / false value indicating whether or not the process that called this API is being debugged at that time. In this embodiment, a mechanism is implemented in which a return value when a malicious program calls this API is always true.

First, a hardware configuration of the computer 10 suitable for applying this embodiment will be described.
FIG. 1 is a diagram showing an example of the hardware configuration of such a computer 10.
As shown in the figure, a computer 10 includes a CPU (Central Processing Unit) 10a which is a calculation means, a main memory 10c connected to the CPU 10a via an M / B (motherboard) chip set 10b, and an M / B chip set. And a display mechanism 10d connected to the CPU 10a via 10b. Further, a network interface 10f, a magnetic disk device (HDD) 10g, an audio mechanism 10h, a keyboard / mouse 10i, and a flexible disk drive 10j are connected to the M / B chip set 10b via a bridge circuit 10e. Has been.

  In FIG. 1, each component is connected via a bus. For example, the CPU 10a and the M / B chip set 10b and the M / B chip set 10b and the main memory 10c are connected via a CPU bus. Further, the M / B chipset 10b and the display mechanism 10d may be connected via an AGP (Accelerated Graphics Port), but if the display mechanism 10d includes a PCI Express compatible video card, the M / B The chip set 10b and the video card are connected via a PCI Express (PCIe) bus. When connecting to the bridge circuit 10e, for example, PCI Express can be used for the network interface 10f. For the magnetic disk device 10g, for example, serial ATA (AT Attachment), parallel transfer ATA, or PCI (Peripheral Components Interconnect) can be used. Furthermore, USB (Universal Serial Bus) can be used for the keyboard / mouse 10i and the flexible disk drive 10j.

Next, an implementation of a technique for misidentifying debugger detection in this embodiment will be described.
In the present embodiment, process generation is first monitored by a device driver operating in the kernel mode, and information on the generated process is notified to a service application operating in the user mode. Next, the service application that has received the generated process information injects a DLL (dynamic link library) in which a fake IsDebuggerPresent API process is implemented into a malicious program. In addition, here, it is expressed as “false” for convenience, but actually, as will be described later, when the IsDebuggerPresent API is called, the implementation path is changed to another process prepared in advance. .

FIG. 2 is a diagram schematically showing a software configuration of the computer 10 when misdetecting debugger detection using the IsDebuggerPresent API.
As shown in the figure, the kernel segment 11 stores a code of a device driver that functions as the process generation monitoring unit 12. That is, the process generation monitoring unit 12 is a program (a program resident in the system) that operates in the kernel mode (OS execution mode). The process generation monitoring unit 12 monitors the generation of a new process and detects when a process is generated. Then, as shown in (1), information on the generated process is notified to the monitoring module generation unit 13 operating in the user mode. That is, in the present embodiment, the process generation monitoring unit 12 is provided as an example of a detection unit that detects in the OS execution mode that a new process has been generated.

On the other hand, in the user mode, a plurality of processes are usually executed. In the figure, four processes are shown as processes 14a to 14d. That is, for these processes, at the time of generation, the process generation monitoring unit 12 detects the generation of the process and has already notified the monitoring module generation unit 13 of the process information.
When the process information is notified in this way, the monitoring module generation unit 13 injects the monitoring module into the notified process. That is, as shown in (2), the monitoring modules 15a to 15d are forcibly loaded to the text segment assigned to the process. Here, the monitoring module is, for example, a DLL. However, as described above, the DLL has a mechanism such that another process prepared in advance is executed when the IsDebuggerPresent API is called. In other words, in the present embodiment, the monitoring module generation unit 13 is used as an example of a processing unit that performs a process for misidentifying that the program is analyzed on a process generated by executing the program. Provided.
As a result of the forcible load, the monitoring modules 15a to 15d monitor the operation of the own process as shown in (3). Then, when the IsDebuggerPresent API is called, alternative processing is executed, and the own process ends.

Next, the operation of the present embodiment will be described.
FIG. 3 is a sequence diagram showing an operation example of the process generation monitoring unit 12 and the monitoring module generation unit 13 in the present embodiment.
First, the process generation monitoring unit 12 determines whether or not there has been a termination instruction for reasons such as system shutdown (step 101). If there is a termination instruction, the process is terminated. If there is no termination instruction, a new process is created. It is determined whether it has been done (step 102).
As a result, if it is determined that a new process has not been generated, the process returns to step 101. However, if it is determined that a new process has been generated, a new process generation notification is transmitted to the monitoring module generation unit 13 ( Step 103).
As a result, the monitoring module generation unit 13 receives a new process generation notification (step 104). Then, an injection process of the monitoring module is performed (step 105).

In this monitoring module injection process, in the present embodiment, the execution code of the hook target API loaded on the memory is rewritten with a code that jumps to an arbitrary address, and the alternative process at the jump destination is executed. Use (Detours hook).
Next, the operation at this time will be described.
FIG. 4 is a flowchart showing an operation example of the monitoring module injection processing by the monitoring module generation unit 13.
First, the monitoring module generation unit 13 loads the DLL into the memory (Step 201). Next, the address of the alternative process is acquired (step 202). Here, the alternative process is a process that always returns true (being debugged) instead of returning whether or not it is debugged with reference to the BeingDebugged flag as in the IsDebuggerPresent API. Then, the monitoring module generation unit 13 rewrites the top of the execution code of the hook target API with a code that jumps to the address acquired in Step 202 (Step 203).

  The configuration using the driver and the service application adopted in the present embodiment is the same as that of general antivirus software. However, the technique of reusing the anti-analysis function of the malicious program itself to suppress its activity is different from the conventional antivirus software that analyzes the operation pattern of the malicious program and stops the operation after detecting it. The possibility of activity suppression can be expected even for malicious programs that have many variants that cannot be handled by the signature method, which is the mainstream virus detection method.

By the way, in the present embodiment, the API hook technique as described above is adopted. However, there are several other techniques for hooking an API call to a normal Windows32 native program and changing its processing. There is such a method.
The following methods are commonly used. That is, a code for replacing the processing of the hook target API and a code for performing a message hook using the SetWindowsHookEx API are implemented in the DLL. Then, another execution program for controlling (starting / ending) the hook is created, and the thread ID of the target process to which the API hook is to be executed is designated from the program, and a function for performing the DLL message hook is called. As a result, the DLL in which the code to be replaced with the target process is loaded. In the DLL initialization routine, the method of rewriting the execution address of the regular API stored in the IAT (Import Address Table) of the import section in the process memory of the target process with the address of the function in the loaded library (IAT API Hooking). However, with this method, two problems can be considered when API hooking is performed on a malicious program.

(1) Problems at the stage of loading DLL
In the message hook using the SetWindowsHookEx API, the hook is started when the window message is first processed by the target program. Therefore, an API call cannot be hooked in a console program that does not have a debugger detection or GUI immediately after the start of the program (a window message is not generated when the program is started normally). In general, malicious programs do not often have a GUI, and debugger detection is often performed immediately after the start of the program, so this method is considered to be ineffective. Furthermore, since the timing at which a malicious program is executed is unpredictable, in order to function as a practical system, a program that resides in the system and monitors process generation is required.

(2) Problem of API hook execution by rewriting IAT A malicious program obfuscated or compressed by tools such as packers does not have an IAT in the import section unlike a normal program, and dynamically acquires the API address. It is confirmed by analysis that there is something to do. Such a malicious program cannot be API hooked by rewriting the IAT.

Therefore, in the present embodiment, as a method for solving the problem (1), a process generation monitoring unit 12 as a device driver that operates in the kernel mode is provided, and thereby a process generation is monitored.
Also, as a method for solving the problem (2) above, instead of the API hook by rewriting the IAT, the head of the execution code of the hook target API loaded on the memory is rewritten to a code that jumps to an arbitrary address, and the jump The configuration that executes the alternative process is adopted.

The implementation described above was evaluated using samples of malignant programs collected from April 2005 to May 2006 by the Honeypot Super-Honey operated mainly by Telecom-ISAC Japan. Therefore, the contents of this evaluation will be described below.
First, as an evaluation method, a debugger detection reverse system composed of drivers, service applications, and DLLs is installed on Windows XP SP1, which is a GuestOS on VMware, and a sample of a malicious program is executed in that environment. The effectiveness was evaluated. The sample of malignant program used for the evaluation was 17,257 different hash values collected by the honeypot Super-Honey.
Judgment of effectiveness was made based on whether or not the process was completed within a specified time as a result of executing the sample program and the reason for the completion. In this evaluation, a waiting time of 10 seconds was set. Specifically, the following functions (1) and (2) are used to analyze whether the sample process is completed within 10 seconds after execution and the log file of the process completed within 10 seconds, and then the IsDebuggerPresent API After that, it was determined that the method of the present embodiment is effective for a sample that has finished calling ExitProcess API.
Function (1): Implements log output processing in DLL, and keeps a record of hooks of IsDebuggerPresent API for DLL loading and debugger detection.
-Function (2): Records information related to process termination by hooking the ExitProcess API called when a normal program terminates.
FIG. 5 shows a log output example in which it is determined that the method of this embodiment is effective.

The operating environment when this evaluation is performed is as follows.
-Do not connect to the network (make the network interface unconnected with VMware).
-Patches that make it impossible to detect that an executed program has been executed in the VMware environment are not applied.
・ Every time one malicious program is executed, the snapshot function of VMware is used to return to a clean environment.

The evaluation results are as follows.
(1) Targeting the highest number of captured samples In order to evaluate the effectiveness of malicious programs that are likely to be infected with vulnerable hosts on the Internet, the 89th most captured in the honeypot The evaluation results for the samples up to are as follows.
・ Thirty-seven kinds, 37%, were completed within 10 seconds.
-There was no sample that ended by calling the IsDebuggerPresent API.
(2) When all captured samples are targeted The evaluation results for all 17,257 types of samples captured in the honeypot are as follows.
First, the sample execution results are shown in the following table.

  The breakdown of the reasons for termination of specimens completed within 10 seconds is shown in the following table.

-Approximately 37% of the 6,378 types are executable files, and the remaining 10,879 types (about 63% of the total) were non-exe executable files such as dll and sys files.
-Of the 6,378 types that could be executed alone, there were 1,320 samples that ended within 10 seconds, but 3,341 types of samples did not end after 10 seconds.
-Among the samples that ended within 10 seconds, there were 101 types of samples that ended after calling the ExitProcess API after calling the IsDebuggerPresent API.

The inventors made the following considerations based on the evaluation results as described above.
First, it can be inferred from the evaluation experiment targeting the specimens with the highest number of captures up to the 89th that a malignant program with a high infection rate is very likely to have multiple anti-analysis functions.
In addition, in the evaluation experiments for all the captured specimens, the existence of 10,879 types of executable files that are not exe format such as dlls and sys files (about 63% of the total) is not only the file that the honeypot Super-Honey is an executable format. This is because the malicious program has a function to collect files used as its own parts. Therefore, in the evaluation, 6,378 types (about 37% of the total number of captures) that can be executed alone are considered as parameters.
For 3,341 types (approximately 52% of the total number of executable samples), the process did not end even after 10 seconds, and it was said that the process was clearly ineffective. Of the samples that ended within 10 seconds, the call to IsDebuggerPresent API After that, there are 101 types of samples (about 1.6% of the total number of executable samples) that are terminated by calling the ExitProcess API, and it can be determined that the method of the present embodiment is effective. Furthermore, when the detection names of the 101 types of specimens were investigated by the anti-virus software, the results shown in FIG. 6 were obtained. This technique worked for about 1.6% of the total number of executable specimens. Although the numerical value itself is low, the significance of the effectiveness of the present method for the RBOT, SPYBOT, and SDBOT systems with a large number of variants is considered significant. Next, from the result that 1,320 types, which are about 20% of the executable samples, were completed within 10 seconds from the start of the process, detection of virtual environment such as VMware and network connection status was detected, and the operation was performed. It is thought that it has been terminated, and by using the anti-analysis function other than the IsDebuggerPresent API used this time, it may be possible to expect an activity suppression effect for 10-20% of executable malicious programs Seem.

Then, next, the method of reusing the analysis resistance function other than IsDebuggerPresent API is described.
A-2. Breakpoint detection In this case, for the address on the text segment that is supposed to be read by the breakpoint detection routine of the malicious program, the address data is rewritten to the INT3 instruction (0xCC) by memory patching. As a result, since a breakpoint is set, it can be seen that the malicious program that scans its execution code on the text segment is being debugged.

A-3. Detection of SoftICE In this case, if the CreateFile API is hooked and the first argument is "\\. \ NTICE", the return value is set to something other than 0xFFFFFFFF (INVALID_HANDLE_VALUE), so that it is debugged with SoftICE Show off. Specifically, if the first argument of CreateFile API is “\\. \ NTICE”, an alternative process that returns a value other than 0xFFFFFFFF is prepared in advance, and the beginning of the CreateFile API execution code is Rewrite the code to jump to the address.
Here, the CreateFile API can be considered as an example of an API that returns information indicating whether or not a specified file exists.

A-4. Execution time measurement
Hook the GetTickCount API and do the following:
When GetTickCount API is called, the value obtained is stored. Then, when GetTickCount is called next time, the obtained value is compared with the stored value (previous result), and a value with a difference of 5000 or more is set as a return value, thereby making it appear that step execution by the debugger is performed. The value of 5000 is a reference value obtained by Agobot source analysis. Specifically, an alternative process that refers to the previous value returned by the GetTickCount API and returns a value that is 5000 or more of the difference is prepared in advance, and the top of the execution code of the GetTickCount API is set to this alternative process. Rewrite the code to jump to the address.
Here, the GetTickCount API can be considered as an example of an API that returns a value related to time.
In the above description, only A-1 to A-4 are shown as the analysis resistance function related to the detection of the debugger. However, other analysis resistance functions other than this may be reversed to perform processing that makes it appear that analysis is being performed.

Furthermore, a case where the detection of the virtual environment is misidentified will be described. Here, the MAC address and the registry are counterfeited for misidentification.
B-1. For VMware Change the upper 3 bytes of the MAC address to 00-0c-29. Then, setting data (for example, registry key) added by installing VMware is added.
B-2. For Virtual PC Change the upper 3 bytes of the MAC address to 00-03-FF. Then, setting data (for example, a registry key) added by installation of Virtual PC is added.

  In the present embodiment, it has been described that the activity is suppressed by misidentifying that the malicious program is analyzed. However, this method can be applied to any program having a function of terminating its own process upon recognizing that it has been analyzed regardless of whether it is “malignant” or not.

  As described above, in the present embodiment, by recognizing that the process itself is analyzed, the specific program having the function of terminating the process itself can be reversed and misunderstood as being analyzed. I did it. This made it possible to suppress the activity.

It is a hardware block diagram of the computer to which this Embodiment is applied. It is the figure which showed the software configuration of the computer in this Embodiment. It is the sequence diagram which showed the operation example of the process production | generation monitoring part and monitoring module production | generation part in this Embodiment. It is the flowchart which showed the operation | movement of the monitoring module injection | pouring process by the monitoring module production | generation part in this Embodiment. This is an example of log output that is determined to be effective in the evaluation of the present embodiment. In the evaluation of the present embodiment, it is the result of investigating a sample that is determined to be effective by using antivirus software.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Computer, 11 ... Kernel segment, 12 ... Process production | generation monitoring part, 13 ... Monitoring module production | generation part, 14a-14d ... Process, 15a-15d ... Monitoring module

Claims (10)

A computer program for controlling the operation of a specific program having a function of terminating a process generated by executing itself by recognizing that the process is being analyzed,
On the computer,
A function for detecting in the execution mode of the OS (Operating System) that a new process is generated by executing the program;
A computer program for realizing a function of ending the process if the program is the specific program by performing a process for causing the generated process to be misidentified that the program is analyzed.   The function for terminating is to perform a process for causing the generated process to misidentify that there is a debugger analyzing the program even though there is no debugger analyzing the program. The computer program according to claim 1.   In the function to be terminated, a process of hooking an API (Application Program Interface) that returns information indicating whether or not there is a debugger that analyzes the program and returning information that there is a debugger that analyzes the program is performed. The computer program according to claim 2, wherein the computer program is executed as a process for making the user misidentify.   2. The function for terminating, wherein a process of including an instruction for generating a breakpoint exception in an execution code of the program expanded in a memory allocated to the process is performed as the process for causing a misunderstanding. 2. The computer program according to 2.   In the function to be terminated, an API that returns information indicating whether or not a specified file exists is hooked, and a specific file that exists when the program is analyzed by a specific debugger is specified when the API is called. If it is, the computer program of Claim 2 which performs the process which returns the information that the said specific file exists as a process for making it misidentify.   In the function for ending, hooking an API that returns a value related to time, and performing a process of returning a value related to a time such that the difference from the value related to the time returned last time is equal to or greater than a predetermined value is performed as the process for misidentification. The computer program according to claim 2.   In the function to be terminated, processing for causing the generated process to misidentify that there is a virtual machine environment for analyzing the program even though there is no virtual machine environment for analyzing the program. The computer program according to claim 1, wherein the computer program is applied.   In the function to be terminated, a process of rewriting the MAC address of the computer and a process of generating setting data added by installation of software that provides the virtual machine environment are performed as the process for misidentification. The computer program according to claim 7. A computer device that controls the operation of a specific program having a function of terminating a process generated by executing itself by recognizing that the process is being analyzed,
Detection means for detecting in the execution mode of the OS that a new process has been generated by executing the program;
And a processing means for ending the process if the program is the specific program by performing a process for misidentifying that the program is analyzed with respect to the generated process. Computer equipment to do. An operation control method for controlling the operation of a specific program having a function of terminating a process generated by executing itself by recognizing that the process is being analyzed,
Detecting in the OS execution mode that a new process has been generated by executing the program;
And a step of ending the process if the program is the specific program by performing a process for misidentifying that the program is analyzed with respect to the generated process. Control method.

Images